Access to Personal Information

May 2013

One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the position of the parties, over time, findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.

In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined.

I. Relevant Statutory Provisions

Principle 4.9: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Note: In certain situations, an organization may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

Principle 4.9.1: Upon request, an organization shall inform an individual whether or not the organization holds personal information about the individual. Organizations are encouraged to indicate the source of this information. The organization shall allow the individual access to this information. However, the organization may choose to make sensitive medical information available through a medical practitioner. In addition, the organization shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.

Principle 4.9.2: An individual may be required to provide sufficient information to permit an organization to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.

Principle 4.9.3: In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.

Principle 4.9.4: An organization shall respond to an individual's request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.

Principle 4.9.5: When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.

Principle 4.9.6: When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organization. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.

Section 8(1): A request under clause 4.9 of Schedule 1 must be made in writing.

Section 8(2): An organization shall assist any individual who informs the organization that they need assistance in preparing a request to the organization.

Section 8(3): An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.

Section 8(4): An organization may extend the time limit (a) for a maximum of thirty days if (i) meeting the time limit would unreasonably interfere with the activities of the organization, or (ii) the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; or (b) for the period that is necessary in order to be able to convert the personal information into an alternative format.

In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.

Section 8(5): If the organization fails to respond within the time limit, the organization is deemed to have refused the request.

Section 8(6): An organization may respond to an individual’s request at a cost to the individual only if (a) the organization has informed the individual of the approximate cost; and (b) the individual has advised the organization that the request is not being withdrawn.

Section 8(7): An organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under Part 1 of PIPEDA.

Section 8(8): Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under Part 1 of PIPEDA that they may have.

Section 9(1): Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.

Section 9(3): Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if (a) the information is protected by solicitor-client privilege; (b) to do so would reveal confidential commercial information; (c) to do so could reasonably be expected to threaten the life or security of another individual; (c.1) the information was collected under paragraph 7(1)(b); (d) the information was generated in the course of a formal dispute resolution process; or (e) the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act.

However, in the circumstances described in (b) or (c) above, if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, as the case may be, and that information is severable from the record containing any other information for which access is requested, the organization shall give the individual access after severing.

Section 9(5): An organization that decides not to give access to personal information in the circumstances set out in paragraph (3)(c.1) shall, in writing, so notify the Commissioner, and shall include in the notification any information that the Commissioner may specify.

II. General Interpretations by the Courts

In response to an access to personal information request, organizations need only search for and provide those records related to the conduct of their business, not those sent between employees for personal reasons. (Johnson v. Bell Canada, 2008 FC 1086)

An organization receiving a broad request for access to personal information has two options: (1) it can inquire of the party making the request if the party can be more specific as to the information requested, in which case the requesting party has an obligation to cooperate in defining the request, or (2) it can conduct a reasonable search of information it can reasonably expect to be responsive to the request. Where that latter course is chosen, and absent further evidence, there is no reason to conduct a search for messages falling outside the scope of what the organization reasonably believes it would collect, use and disclose in the course of its business operations. (Johnson v. Bell Canada, 2008 FC 1086)

If the party who made an access request claims that there is other information that has not been produced, the burden lies on the requester to establish at least a prima facie case that the search was inadequate. (Johnson v. Bell Canada, 2008 FC 1086)

“It cannot be seriously suggested that an organization has a responsibility to recover deleted or overwritten data in the absence of compelling evidence that it existed and that it can be recovered at a reasonable cost. Further, in my view, such a herculean task should only be required to be undertaken, if ever, in circumstances where there is a critical need for the recovered information.” (Johnson v. Bell Canada, 2008 FC 1086)

“From a practical and pragmatic standpoint, what subsection 8(8) of PIPEDA requires of an organization is that it retain that information that it has discovered in its search that is or may be responsive to the request, until the person making the request has exhausted all avenues of appeal.” (Johnson v. Bell Canada, 2008 FC 1086)

Merely informing a third party that information has been amended without sending the amended information to the third party is not sufficient to satisfy the requirement set out in clause 4.9.5 of PIPEDA. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)

Handwritten notes of a doctor taken during an independent medical examination performed at the request of an insurance company may be subject to an access request. (Wyndowe v. Rousseau, 2008 FCA 39)

III. Application by the OPC in Different Contexts

Whether an organization can be said to meet its access obligations under PIPEDA will vary depending on the facts of each complaint investigation. The following examples illustrate how the access principle has been interpreted and applied by the OPC and some of its findings derived from different contexts.

Policies, Practices, and Procedures

An organization should have procedures in place to ensure that an access to personal information request is properly processed.

A complainant who requests access to all personal information relating to him or her should be provided with all information that the organization can provide to the complainant. If the organization has the information and there is no reason to deny access, it should release all the responsive information even though certain documents were not specifically requested.

When an organization responds to an access request, it should give an indication of where it looked for the requestor’s information and the types of information it holds. Organizations should be forthcoming in providing details regarding the sources of information and to whom information has been disclosed.

When in receipt of a request for access to personal information, organizations must respond in a meaningful way, even if only to indicate that they have already provided the individual with all of their information.

For personal information implicated in a specific access request, organizations should consider, and where necessary, override their regular deletion/retention practices until such time as the individual has exhausted any recourse under PIPEDA to get access to that information.

The requested information shall be provided in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.

Principle 4.9.4 clearly puts the onus on the organization to explain information in understandable terms to the individual and PIPEDA makes no provision for an organization to refer the individual to another organization for that purpose.

If information about a third party is severable from the record pertaining to an individual’s access request, the organization must sever the information about a third party and give the individual access to his or her personal information.

When receiving an individual’s access request, the organization should determine as quickly as possible whether it will be able to complete the request within the initial time limit allowed by PIPEDA. If it believes it has insufficient time and requires an extension, the organization must advise the complainant in writing no later than 30 days after the date of the access request, advising the complainant of the new time limit, the reasons for extending the initial limit and the complainant’s right to make a complaint to the Commissioner with regard to the extension.

Fees are not to be used by organizations to discourage requests; an organization should consider charging fees for processing a request only when the request is exceptional, and then only at minimal cost.

Even if the organization informs the complainant of the approximate cost of responding to an access request, the amount must be considered minimal. Although PIPEDA does not define "minimal", the implication is that the fee should be a token one.

Under paragraph 9(3)(a) of PIPEDA, an organization can withhold access to personal information if it is subject to litigation privilege. Litigation privilege is a component of solicitor-client privilege; it protects materials brought into existence for the dominant purpose of litigation or reasonably anticipated litigation.

Individuals involved in ongoing civil litigation who have been denied access to their personal information for reasons of solicitor-client privilege can more appropriately use civil court procedures to address the matter of the claimed privilege. In such cases, individuals can bring a motion to the Court to obtain a binding ruling on the appropriateness of the privilege being asserted on their personal information.

9(3)(b) – confidential commercial information

Information generated by a bank’s investigation of alleged credit card fraud can be considered to be confidential commercial information, where commercial interests of the organization could suffer irreparable harm if the information is released and preservation of confidentiality constitutes a sufficiently important interest.

The Commissioner did not agree that information regarding compensation paid to the complainant and the costs related to his claim with the province's workplace safety board constituted confidential commercial information.

The Commissioner found that an organization had properly exercised its discretion to rely on paragraph 9(3)(c.1) in denying the complainant access to personal information the organization had collected for reasonable purposes related to an investigation into a breach of an employment agreement. The complainant’s knowledge and consent in the matter would have compromised the availability and accessibility of the information.

Notes generated in the process of conducting a medical evaluation to assist an insurer in determining the complainant's eligibility for benefits were not considered to have been “generated in the course of a dispute resolution process”.

An organization was found to have met its obligations under Principle 4.9.6 when it gave an individual the opportunity to provide a statement regarding a disputed entry, which the organization then recorded and attached to the individual's credit file and transmitted to any third parties having access to the individual's credit information.

Paragraph 7(1)(b) of PIPEDA provides that for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.